CVS commit: src/sys/kern

[Kamil Rytarowski]

Module Name:    src
Committed By:   kamil
Date:           Fri Sep 20 13:29:31 UTC 2019

Modified Files:
        src/sys/kern: vfs_syscalls.c

Log Message:
Validate usec ranges in do_sys_utimes()

sys/kern/vfs_syscalls.c:3939:4, signed integer overflow: 503923632 * 1000 
cannot be represented in type 'int'

Reported-by: syzbot+4cfc86ffd30e8678f...@syzkaller.appspotmail.com


To generate a diff of this commit:
cvs rdiff -u -r1.534 -r1.535 src/sys/kern/vfs_syscalls.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: src/sys/kern/vfs_syscalls.c
diff -u src/sys/kern/vfs_syscalls.c:1.534 src/sys/kern/vfs_syscalls.c:1.535
--- src/sys/kern/vfs_syscalls.c:1.534	Sun Sep 15 20:51:03 2019
+++ src/sys/kern/vfs_syscalls.c	Fri Sep 20 13:29:31 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: vfs_syscalls.c,v 1.534 2019/09/15 20:51:03 christos Exp $	*/
+/*	$NetBSD: vfs_syscalls.c,v 1.535 2019/09/20 13:29:31 kamil Exp $	*/
 
 /*-
  * Copyright (c) 2008, 2009 The NetBSD Foundation, Inc.
@@ -70,7 +70,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls.c,v 1.534 2019/09/15 20:51:03 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls.c,v 1.535 2019/09/20 13:29:31 kamil Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_fileassoc.h"
@@ -3929,14 +3929,22 @@ do_sys_utimes(struct lwp *l, struct vnod
 		if ((tptr[0].tv_usec == UTIME_NOW) || 
 		    (tptr[0].tv_usec == UTIME_OMIT))
 			ts[0].tv_nsec = tptr[0].tv_usec;
-		else
+		else {
+			if (tptr[0].tv_usec < 0 || tptr[0].tv_usec >= 1000000)
+				return EINVAL;
+
 			TIMEVAL_TO_TIMESPEC(&tptr[0], &ts[0]);
+		}
 
 		if ((tptr[1].tv_usec == UTIME_NOW) || 
 		    (tptr[1].tv_usec == UTIME_OMIT))
 			ts[1].tv_nsec = tptr[1].tv_usec;
-		else
+		else {
+			if (tptr[1].tv_usec < 0 || tptr[1].tv_usec >= 1000000)
+				return EINVAL;
+
 			TIMEVAL_TO_TIMESPEC(&tptr[1], &ts[1]);
+		}
 
 		tsptr = &ts[0];	
 	}